

Subject: Issue 163: Document how to support out of band encryption key known to both parties


Issue 163

I recorded this issue as 163 after the last call pointing to one of the mails below. I will update the description of the issue and update the link to point to this message in the next update.

Thanks Rich.

-----Original Message-----
From: Rich Levinson [mailto:rich.levinson@oracle.com]
Sent: Wednesday, February 06, 2008 7:34 PM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: NEW Issue: Document how to support out of band encryption key known to both parties

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.

Protocol:
    ws-sx examples 17-07
        http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.pdf
    ws-sp 1.2
        http://www.oasis-open.org/committees/download.php/26176/ws-sp-usecases-examples-draft-17-07.doc

Artifact:  spec / policy

Type:
    editorial

Title:
    Document how to support out of band encryption key known to both parties

Description:
    These emails describe the problem in detail:
        http://lists.oasis-open.org/archives/ws-sx/200712/msg00027.html
        http://lists.oasis-open.org/archives/ws-sx/200801/msg00000.html
        http://lists.oasis-open.org/archives/ws-sx/200801/msg00001.html
        http://lists.oasis-open.org/archives/ws-sx/200801/msg00010.html
        http://lists.oasis-open.org/archives/ws-sx/200801/msg00011.html
    The basic problem is that there is a sample use case for WS-Security
    in one of the WS-Security interop documents:
        http://www.oasis-open.org/committees/download.php/11375/wss-interop2-draft-06-merged.doc
    see Chapter 3: "Scenario #4 Session Key".
    It is not clear to the author of the 1st email how to use ws-sp to
    model that use case. The follow-on emails suggest one, and possibly
    two ways to do it. The author agreed to the suggested resolutions
    and suggested that the resolution be documented for future reference.
        http://lists.oasis-open.org/archives/ws-sx/200801/msg00010.html

    This issue is raised against the ws-sx examples doc as a place where
    one of the examples could be modified to show an option which documents
    the suggested resolution.

    The issue is also raised against ws-sp spec, because it has been
    suggested in TC mtg (Hal) that possibly the custom URI suggested
    by the author of the original issue


Related issues:

        None

Proposed Resolution:

    I suggest updating examples doc: In section 2.2.2 of that document
    is a use case called "(WSS1.0) Mutual Authentication with X.509
    Certificates, Sign, Encrypt".
    This example could be readily modified to explain how to do the
    case described in the emails above as well.

    I am not sure about updating the ws-sp spec as Hal suggested be
    considered. If we were to update it, we could possibly put some
    explanatory text in section 5.4.2, where it already mentions that
        "This assertion is used in 3rd party scenarios. For example,
         the initiator may need to request a SAML token from a given
         token issuer in order to secure messages sent to the recipient."
    But it goes no further in the description of 3rd party scenarios.
    Imo, the example above with the out of band encryption key is functionally
    equivalent to a token supplied by a 3rd party, where the IssuedToken
    assertion mechanism is used to identify the Issuer and carry the Token
    but does not actively engage in how that token is used except by
    whatever implicit context the IssuedToken itself is used.

    Therefore my inclination is to not document this in the ws-sp spec,
    or, if so, by only indicating with a brief phrase something like
    "out of band shared encryption keys are an example of how an
    IssuedToken might be put to use."
